An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

Monthly Archives: May 2013

Eight members of the Congressional Bi-Partisan Privacy Caucus sent a letter last week to Google’s CEO, Larry Page, asking him to answer several questions about Google’s Project Glass by June 14. The eight representatives are seeking to find out if and how Google Glass could infringe on people’s privacy.

Google announced its Google Glass project in April 2012. It was first introduced as a cool gadget allowing young men to woo their girlfriends playing the ukulele and parents to take pictures of their children while holding them by both hands. It immediately caught a lot of media attention and was even named one of the best inventions for 2012 by Time.

It not only allows users to take pictures on the go, without having to hold a camera, but also to receive and send emails, to talk to friends and colleagues while seeing them on video, to share their geolocation by checking in, to access the internet, and to update their social media status.

Multitasking, yes, but some of these features may threaten the privacy of persons around a Google Glass user. In their letter, the congressmen noted that it is not yet known whether Google plans to incorporate privacy protection in its new product.

These questions are not hypothetical, as Google Glass is already selling, for about $1,500, to a few chosen customers. Maybe you have already spotted someone wearing them?

The letter to Larry Page notes that a bar in Seattle has already banned the device. A tongue-in-cheek video about how obnoxious a Google Glass user could be is circulating on the Internet.

Facial recognition is probably the most potentially invasive feature of Google Glass. Motorola Mobility, owned by Google, acquired Viewdle, a facial recognition company, last fall, just as Facebook had acquired Faces.com a few months earlier. Facebook reintroduced its photo tag suggestion feature on January 30, 2013.

However, Google’s Chairman Eric Schmidt stated in 2011 that his company would not build a facial recognition database. He was quoted then saying that “[h]opefully the French or any other country won’t pass laws that are so foolish they force Google to not be able to operate in those countries.”

Would it be “foolish” for legislators to regulate Google Glass? And should the new challenges to privacy that Google Glass may cause be regulated by law or by… etiquette? Indeed, Google Glass offers many opportunities to break social etiquette, including surreptitious filming. In April, Eric Schmidt declared that people will have to develop a new etiquette for Google Glass and similar products.

But etiquette may not be the best path to regulate the privacy intrusion risks caused by Google Glass, and Little Miss Manners should not be solely in charge of regulating privacy. We’ll soon see whether the letter sent last week is the legislators’ first step toward legislation.

On May 6, the Federal Trade Commission (“FTC”) voted unanimously to retain the July 1, 2013 date for implementation of the updated Children’s Online Privacy Protection Rule (“COPPA”). The FTC vote took place approximately two weeks after online industry and business organizations, including the Direct Marketing Association (“DMA”) and the U.S. Chamber of Commerce, sent a letter to the FTC seeking an extension of the effective date for the COPPA Rule amendments, from July 1, 2013 to January 1, 2014.

In voting to retain the original date for implementation of the updated Rule, the Commission noted that the July 1 implementation date, along with the rule changes, was announced in December 2012, which provided affected companies with more than six months to prepare for the updated Rule. The FTC also noted various meetings and consultations it has held during the past several months with organizations and individual businesses to discuss how companies can ensure compliance with the amended Rule. In addition, the FTC noted the recent release of its updated COPPA Rule Frequently Asked Questions (“FAQs”) document that includes a number of questions (and answers) that directly address how the amended Rule differs from the original Rule, including the following:

• What should I do about information I collected from children prior to the effective date that was not considered personal under the original Rule but now is considered personal information under the amended Rule?

• Other than the changes to the definition of personal information, in what ways is the new Rule different?

• Will the amended COPPA Rule prevent children from lying about their age to register for general audience sites or online services whose terms of service prohibit their participation?

Notably, the online industry had cited the lack of an updated FAQs document as a key reason for its request to extend the implementation date to January 2014.

The FTC recently announced a public workshop to examine the privacy and data security implications of the Internet of Things (IoT). The workshop, which will take place on November 21 this year, indicates a growing interest – both here and in Europe – in the policy issues raised by this rapidly emerging business model. The FTC announcement follows a signal from new FTC Chairwoman Edith Ramirez that she intends to include IoT in her privacy agenda.

The Internet of Things describes a world in which machines can communicate with one another via the Internet without human intervention. The Swedish mobile device vendor Ericsson estimates that around 50 billion devices worldwide will be IoT enabled by 2020.

The business model has many positive applications. Included here are energy efficient smart grids, which have the proven potential to promote energy efficiency. Another interesting IoT application concerns auto insurance. If the key variables used to calculate insurance premiums are distance driven, location, time of day, and driving style, and these variables can be measured with precision using IoT technologies, then drivers and insurance providers may be positioned to better calculate bespoke insurance rates.

These and other IoT applications look set to become more and more ubiquitous as the technologies underpinning them – data storage, mobile data transfer, and cloud computing – come down the cost curve in the coming years. However, as with Internet-enabled technologies generally, IoT raises potential privacy and data security concerns. The FTC is therefore requesting public comments on the following issues prior to the November workshop:

• What are the unique privacy and security concerns associated with smart technology and its data? For example, how can companies implement security patching for smart devices? What steps can be taken to prevent smart devices from becoming targets of or vectors for malware or adware?
• How should privacy risks be weighed against potential societal benefits, such as the ability to generate better data to improve health-care decision making or to promote energy efficiency? Can and should de-identified data from smart devices be used for these purposes, and if so, under what circumstances?

FTC staff welcomes submissions to its IoT email account before June 1, 2013.

Meanwhile, on the other side of the Atlantic, both the EU and the OECD are tracking IoT from a policy standpoint in general, and from a privacy and security standpoint in particular. The EC Commission launched a public consultation similar in nature to the FTC’s in April last year, and recently published its findings. According to the Commission, these findings will be relied on in “future policy initiatives.”